Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| J1un7vGf29.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J1un7vGf29.exe_5cd87136c5f8c6d2a2edad2aab90e620989ace30_5a213bd4_6075f31e-8a75-4958-baa0-25eb9dc96c5d\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD85B.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:15 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB1B.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB4B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\J1un7vGf29.exe | "C:\Users\user\Desktop\J1un7vGf29.exe" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 476 -p 1080 -ip 1080 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1080 -s 996 | |

27 additional processes are not shown in this report.
URLs

| Name | IP | Malicious |
|---|---|---|
| http://185.101.104.122/plushvcionbronkz.exe | unknown | |
| http://upx.sf.net | unknown | |
| http://185.101.104.122/plushvciforabronkz.exeC: | unknown | |
| http://185.101.104.122/plushvciforabronkz.exe | unknown | |
| https://curl.haxx.se/docs/http-cookies.html | unknown | |
| https://curl.haxx.se/docs/http-cookies.html# | unknown | |
| https://keyauth.win/api/1.2/ | unknown | |
| https://keyauth.win/api/1.1/ | 104.26.0.5 | |
| http://185.101.104.122/plushvcionbronkz.exeC: | unknown | |
| https://keyauth.win/api/1.1/emNU | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| keyauth.win | 104.26.0.5 | |
| 241.42.69.40.in-addr.arpa | unknown | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.26.0.5 | keyauth.win | United States | |
| 127.0.0.1 | unknown | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | ProgramId | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | FileId | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | LowerCaseLongPath | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | LongPathHash | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Name | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | OriginalFileName | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Publisher | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Version | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | BinFileVersion | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | BinaryType | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | ProductName | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | ProductVersion | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | LinkDate | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | BinProductVersion | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | AppxPackageFullName | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | AppxPackageRelativeId | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Size | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Language | |
| \REGISTRY\A\{3579996d-d596-6f3a-c099-36a8f8299519}\Root\InventoryApplicationFile\j1un7vgf29.exe\|655ab76828a97449 | Usn | |

9 additional registry entries are not shown in this report.
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| CEDE9FE000 | stack | page read and write | |
| 2B65F6D0000 | heap | page read and write | |
| 269A19A0000 | remote allocation | page read and write | |
| 53D5A7E000 | stack | page read and write | |
| 1ED503D0000 | heap | page read and write | |
| 5A1308D000 | stack | page read and write | |
| 17FBCC90000 | heap | page read and write | |
| 269A1A3C000 | heap | page read and write | |
| 275FF800000 | heap | page read and write | |
| 269A33F0000 | heap | page read and write | |
| 269A1A16000 | heap | page read and write | |
| 1DFBE8D0000 | heap | page read and write | |
| 2B65F7D5000 | heap | page read and write | |
| 1DFBEA30000 | heap | page read and write | |
| 269A1960000 | heap | page read and write | |
| 275FF805000 | heap | page read and write | |
| 275FF5E9000 | heap | page read and write | |
| 269A1A16000 | heap | page read and write | |
| 269A3470000 | heap | page read and write | |
| 1ED501F0000 | heap | page read and write | |
| 2B65F508000 | heap | page read and write | |
| 1DFBE6D8000 | heap | page read and write | |
| 269A1A19000 | heap | page read and write | |
| 17EE3380000 | heap | page read and write | |
| 7FF63D948000 | unknown | page read and write | |
| 7FF63D8D1000 | unknown | page execute read | |
| 269A33F3000 | heap | page read and write | |
| 269A19BC000 | heap | page read and write | |
| 17EE3460000 | heap | page read and write | |
| 17EE3580000 | heap | page read and write | |
| 269A19FC000 | heap | page read and write | |
| CEDEBFE000 | stack | page read and write | |
| DAD267F000 | stack | page read and write | |
| 269A1A12000 | heap | page read and write | |
| 269A19A0000 | remote allocation | page read and write | |
| 7FF63D8D0000 | unknown | page readonly | |
| 17EE3635000 | heap | page read and write | |
| 269A19E9000 | heap | page read and write | |
| 275FF4E0000 | heap | page read and write | |
| 53D5AFE000 | unknown | page readonly | |
| 1DFBE7D0000 | heap | page read and write | |
| 91EEAFE000 | stack | page read and write | |
| 17FBCB90000 | heap | page read and write | |
| 269A1A35000 | heap | page read and write | |
| 275FF5E0000 | heap | page read and write | |
| 269A19FC000 | heap | page read and write | |
| 1ED50249000 | heap | page read and write | |
| 269A3465000 | heap | page read and write | |
| 17EE3630000 | heap | page read and write | |
| 269A3460000 | heap | page read and write | |
| 2B65F4F0000 | heap | page read and write | |
| 269A19A0000 | remote allocation | page read and write | |
| 53D577D000 | stack | page read and write | |
| 91EE7FE000 | stack | page read and write | |
| D81E77F000 | stack | page read and write | |
| E92FCFF000 | stack | page read and write | |
| CEDE53B000 | stack | page read and write | |
| D81E34D000 | stack | page read and write | |
| 269A1A3D000 | heap | page read and write | |
| 17EE3467000 | heap | page read and write | |
| 1ED503D5000 | heap | page read and write | |
| 269A1A12000 | heap | page read and write | |
| 269A19E4000 | heap | page read and write | |
| 17FBCF40000 | heap | page read and write | |
| 17FBCF45000 | heap | page read and write | |
| 5A134FF000 | stack | page read and write | |
| CEDEAFF000 | stack | page read and write | |
| 269A3370000 | heap | page read and write | |
| 269A1A20000 | heap | page read and write | |
| 5A1318F000 | stack | page read and write | |
| 7FF63D931000 | unknown | page readonly | |
| 269A1A0D000 | heap | page read and write | |
| 7FF63D8D0000 | unknown | page readonly | |
| DAD277F000 | stack | page read and write | |
| 269A1A0A000 | heap | page read and write | |
| 269A1970000 | heap | page read and write | |
| 269A1A16000 | heap | page read and write | |
| 269A19B0000 | heap | page read and write | |
| 1DFBEA35000 | heap | page read and write | |
| 17EE3560000 | heap | page read and write | |
| 7FF63D949000 | unknown | page readonly | |
| CEDE8FE000 | stack | page read and write | |
| 2B65F6F0000 | heap | page read and write | |
| 7FF63D949000 | unknown | page readonly | |
| 269A346B000 | heap | page read and write | |
| 1ED500F0000 | heap | page read and write | |
| 269A5100000 | trusted library allocation | page read and write | |
| 17FBCBB0000 | heap | page read and write | |
| CEDECFF000 | stack | page read and write | |
| 1DFBE8B0000 | heap | page read and write | |
| 269A1A12000 | heap | page read and write | |
| 17FBCAB0000 | heap | page read and write | |
| 269A1A3C000 | heap | page read and write | |
| E92F8FD000 | stack | page read and write | |
| 1DFBE6D0000 | heap | page read and write | |
| 7FF63D8D1000 | unknown | page execute read | |
| 275FF5C0000 | heap | page read and write | |
| 275FF6E0000 | heap | page read and write | |
| DAD237C000 | stack | page read and write | |
| E92F9FE000 | stack | page read and write | |
| 17FBCC98000 | heap | page read and write | |
| 2B65F7D0000 | heap | page read and write | |
| 1ED50240000 | heap | page read and write | |
| 7FF63D948000 | unknown | page write copy | |
| 1ED501D0000 | heap | page read and write | |
| 269A1A06000 | heap | page read and write | |
| 91EE6FC000 | stack | page read and write | |
| 2B65F500000 | heap | page read and write | |
| 7FF63D931000 | unknown | page readonly | |
| 269A3320000 | heap | page read and write | |
| D81E67F000 | stack | page read and write | |

101 additional memory dumps are not shown in this report.